Many computing systems contain proprietary or sensitive information, and thus require that users enter a log-in password in order to access the systems. Preferably, no one should know a user's password except the user. Previously, if a user forgot his or her password, the user was required to contact a security officer in order to reset the password. This prior method of resetting a password was problematic for several reasons.
For security, a security officer needed to verify a user's identity before resetting the user's password. In many cases, the only way a security officer could verify the user's identity was to query the user using information, such as a social security number, available to the security officer. This information would often be readily available to or known by other people as well. Thus, a person having a knowledge of a user's name and such other information could fraudulently obtain access to a computing system.
Furthermore, the process was inefficient because a security officer was required to manually reset a user's password. In addition, because the security officer assigned a new password to the user during the reset process, the security officer was given knowledge of the user's password. Consequently, after receiving a new password from the security officer, the user was required to change the password again so that it would not be known to the security officer.